Below is the uncorrected machine-read text of this chapter, intended to provide our own search engines and external engines with highly rich, chapter-representative searchable text of each book. Because it is UNCORRECTED material, please consider the following text as a useful but insufficient proxy for the authoritative book pages.
Chapter II PRIVACY, SECURITY, AND CONFIDENTIALITY TERMINOLOGY In a discussion of privacy, security, and confidentiality, a few terms need to be distinguished with precision. First are those related to tax matters. Until the Tax Reform Act of 1976, tax returns were public records but generally open to inspection only uncler executive orders or regulations promulgated by the Internal Revenue Service. Furthermore, prior law provided a number of specific situations in which tax returns could be disclosed, and appropriate definitions were contained in regulations rather than in law. The 1976 Act stipulates that "Returns and return information shall be confidential, and except as autho- rized by this title (1) no officer or employee ofthe United States, (2) no officer or employee of any State or of any local child support enforcement agency who has or had access to returns or return information under this section, and (3) no other person (or officer or employee thereof who has or had access to returns or return information ..., shall disclose any return or return information obtained by him in any manner in connection with his service as such an officer or an employee or otherwise or under the provi- sions of this section. For purposes of this subsection, the term 'officer or employee' includes a former officer or employee." In addition, the Act defines a number of crucial terms including return, return information, taxpayer identity, and disclosure. In the language of the Act, the term return means "any tax or information return, declaration of estimated tax, or claim for refund required by, or provided for or permitted under, the provisions of fthis] title which is filed with the Secretary on behalf of, or with respect to any person, and any amendment or supplement thereto, including supporting schedules, attach- ments, or lists which are supplemental to, or part of, the return so filed." The term return information includes a "wide variety of things, among them a taxpayer's identity, the nature, source, or amount of his income, payments, receipts, decluc- tions, exemptions, credits, assets, liabilities, net worth, tax liability, tax withheld ..., whether the taxpayer's return was, is being, or will be examined ..., or any other data, received by, recorded by, prepared by, furnished to, or collected by the Secretary with respect to a return." Significantly, however, the Act provides that "Data in a form which cannot be associated with, or otherwise identified, directly or indirectly, twith] a particular taxpayer" is not considered return information, and therefore is not regarded as confidential. The phrase taxpayer return informa- tion refers to return information that is "filed with, or furnished to, the Secretary by or on behalf of the taxpayer to whom such return information relates." Taxpayer identity includes the "name of a person with respect to whom a return is fileci, his ' The Tax Reform Act of 1976 (Public Law 94-455) was signed by the President on October 4, 1976. The relevant portion of the Act is Section 1202, which subsequently became Section 6103 of the Internal Revenue Code. The discussion given here is based in part on the language of the Act, Title 12 Section 1202; and in part on the discussion in "Summary of the Tax Reform Act of 1976," pp. 52-53, a document prepared by the Stab of the Joint Committee on Taxation, October 4, 1976. 6
7 mailing address, Land] his taxpayer identification number" either an indiviclual's Social Security account number or a tax account number issued especially for fRS's purpose. Finally, the term disclosure means "making known to any person in any manner whatever a return or return information." In subsequent subsections, the Act provides explicitly to whom and under what . circumstances tax information may be disclosed. Thus, as a result of the passage of the Tax Reform Act of 1976, the legal status, protection, and disclosure controls for tax returns and tax information are markedly improved. Confidentiality is a status accorded to information that indicates it is sensitive for some reason and therefore must be properly protected and controlled. In the computer system context, the simple term security or the more elaborate terms computer security or computer-system security refer to all the measures necessary to protect physically the hardware, software, data, personnel, and other facilities associated with the system, and to implement controls to ensure that information from the system is divulged only to authorized users. Thus, computer security is largely a technical matter of many dimensions, but it is overlaid with personnel, procedural, and administrative aspects. In contrast, the term privacy or the more elaborate ones recor~keeping privacy or persona, privacy refer to an information- use issue relating in general to an involvement of the individual in certain aspects of recor~keeping. The Privacy Act of 1974 permits an individual access to his record to verify or challenge its contents in the expectation that such involvement will tend to ensure the accuracy of the record, and in turn the fairness of determinations made about an individual. Furthermore, the Act accords the citizen a modest level of control over recor~keeping in federal agencies by requiring that new recor~keeping sys- tems, or new uses of old systems, be described in the Federal Register a prescribed period of time before implementation. To summarize, the confidentiality of tax information is in part ensured by computer-system security safeguards, which in turn permit the Internal Revenue Service to fulfill the obligation of such legislation as the Privacy Act of 1974 and the Tax Reform Act of 1976. Regrettably, the terms confidentiality, security, and privacy are not always used with precision. For example, an unauthorized disclosure of tax information would strictly be a breach of confidentiality, but unless such disclosure influenced a determination about an individual in an unfair way, it would not be a privacy infraction in the precise sense of the term. On the other hand, it would reveal personal information about an individual, which in a broad sense would be re- garded as a breach of privacy. In the example, security safeguards might have been penetrated by some clever means; but on the other hand the improper disclosure might well have been an unauthorized action of some individual authorized to receive information from the system something computer-system security safe- guards cannot guard against. PERTINENT LAW In protecting, handling, and disclosing tax information, the Internal Revenue Service is governed by a variety of laws. In particular, the Privacy Act of 1974, the Tax Reform Act of 1976, ant! the Freedom of Information Act of 1968 are of direct
8 concerns In brief, the Privacy Act provides an individual access to his record in the interest of accuracy and fairness while at the same time stipulating certain record- keeping requirements upon the Service. In contrast, the Tax Reform Act estab- lishes the confidential status of tax information as well as specifying disclosure controls. Thus, a matter that previously was subject to administrative actions of an agency is now controlled by law and the oversight mechanisms of Congress. The Tax Reform Act has obviously improve matters significantly with regard to the protection and disclosure of tax information. The Freedom of Information Act affects recor~keeping activities in yet another way by providing that the public may be granted access to certain internal docu- ments and records of an agency. The three items of legislation obviously overlap one another somewhat, and in some situations may conflict. Some conflicts have been adjudicated by court decisions. The Committee concludes that the existing legislative framework is an adequate foundation for protecting privacy and ensuring confidentiality, provided there is intelligent and good faith adn~inistration and interpreta- tion of the law. If subsequent events suggest that the present legislative framework contains am- biguities or that there has not been intelligent and good faith administration and interpretation of the current law, then such problems can be corrected by Congress at the timed PRIVACY PROTECTION STUDY COMMISSION POSITION The Privacy Protection Study Commission (PPSC) was created by Section 5 of the Privacy Act of 1974 and began work in July of 1975. It was a body created explicitly to examine the recor~keeping practices of organizations that handle data about people and/or make determinations about people on the basis of such records. It consisted of 7 appointed Commissioners supported by a staff averaging 25 in number. The Commission was directed by Congress to undertake a "study of the data banks, automatic data processing programs, and information systems of governmental, regional, and private organizations, in order to determine the stan- dards and procedures in force for the protection of personal information." Among other tasks it was asked to make such "legislative recommendations as the Commis- sion deems necessary to protect the privacy of individuals while meeting the legiti- mate needs of government and society for information." Section 5(c)~2~(B)(ii) of the Act required a report to the President and Congress as to "whether the Inter- nal Revenue Service should be prohibited from transferring individually identi- fiable data to other Federal agencies and to agencies of State governments." 2 Appendix A contains a brief summary and characterization of each law. 3 In Long v. IRS, 596 F.2d 362 (9th Cir. 1979), a federal appellate court recently suggested that the source material for the IRS Tax Compliance Measurement Program may be disclosable under the Freedom of Information Act. The source materials requested consist of information from individuals' tax returns, in the form of computer tapes and check sheets, but with all information identifying individual taxpayers deleted. The appellate court requested that the trial court determine whether the disclosure of' the source materials would entail a "significant risk of' indirect identification" and would, therefore, be exempt from Freedom of Information Act disclosure under the Internal Revenue Code. The Internal Revenue Service is concerned that this decision may have a negative eject on their ability to administer the tax laws and to maintain confidentiality of tax information.
9 Because the Commission was aware of Congressional interest in tax reform, it promptly directed its significant resources and talents to tax information disclosure issues. It made specific recommendations to the Congress, which listened carefully. The Commission worked closely with the Internal Revenue Service and (then) IRS Commissioner Donald C. Alexancler, and in June 1976 published an interim report entitled Federal Tax Return Confidentiality.4 In view of the concurrent examina- tion of the issue by the Commission and work of Congressional groups, it is not surprising that the Tax Reform Act of 1976 closely parallels in most respects the position expressed in the Commission's interim report. It recommended "the enact- ment of a federal statute more stringent with respect to disclosures of records made by the {RS than either the Privacy Act of 1974 or the confidentiality provisions of the Internal Revenue Code then in force. The recommended statute would consti- tute the Service's sole authority to disclose its records about individuals to other federal agencies and to agencies of state government."5 While there is some divergence between the Tax Reform Act of 1976 and the Commission position on such matters as the use oftax information in juror selection and the protection of information from third party sources, nonetheless "The Commission believes that its 1976 recommendations for TRS disclo- sure policy can serve as an example of the kind of particularized disclosure statutes that Congress should enact for certain types of government records that deserve or require special confidentiality protections. The Commission also believes that the rationale for its 1976 {RS recommendations, which is articulated here and in an appendix volume on federal tax return conficlen- tiaTity, exemplifies the kind of considerations that should be taken into account in enacting any federal confidentiality statute."6 The Commission goes on to observe that while "The Congress, in enacting Section 1202 of the Tax Reform Act, did not reach the same conclusions as the Commission in every detail, the Commis- sion approves without reservation the process by which the disclosure was formulated enactment of a statute by the Congress with opportunities for public comment and participation in its deliberation."7 Although not identical, the Commission's recommendations and the 1976 legis- ration are strikingly similar. The underlying principles of each of the four basic recommendations ofthe Commission form a cornerstone ofthe congressional enact- ment. Thus, the Commission and the Congress agreed that disclosure by the [RS of individually identifiable data should be permitted only when authorized specifi- cally by legislation unless otherwise directed in writing by the individual involved, that information disclosed to federal agencies be disclosed for the limited use appropriate to the purpose of the particular agency, that the TRS be required to adopt procedures so that the limited disclosure policy can be enforced, that informa- 4 Published in limited quantity at the time, it was later republished as the first portion of "The Citizen as Taxpayer" (July 1977, U.S. Government Printing Once, Stock No. 052-003-00422-4). The document is Appendix 2 of, and includes the chapter on tax information matters of, the Commission's overall report, "Personal Privacy in an Information Society" (July 1977, U.S. Government Printing Once, Stock No. 052-003-00395-3). It is a comprehensive treatment of the Privacy Protection Study Commission's views on tax administration recordkeeping. s Ibid, page 26. 6 Ibid, page 26. Also the principal report of the Commission, page 538. 7 Ibid.
10 tion disclosed be only that necessary to accomplish the precise purpose for which the request was made, and that a recipient be prohibited from redisclosing person- ally identifiable information without a specific written authorization from the affected individual. In fact, the Tax Reform Act requires that information be re- turned to the {RS or rendered nondisclosable after the precise agency purpose has been served. CLASSICAL PRIVACY vs. INFORMATION USAGE The definition of privacy given earlier reflects the recor~keeping context of the classical privacy issue as it developed in the United States through the late 1960s and 1970s. In particular, the debate always addressed the position of each individ- ual in his relation to recor~keeping systems that make determinations about him. With regard to the {RS taxpayer database, the privacy issue is covered by the Privacy Act of 1974, with which the Internal Revenue Service must conform. Since classical privacy is an information-use issue, it addresses in particular the way in which information may be used, the openness with which recor~keeping practices must be followed, and access by the individual to the record in behalf of accuracy, completeness, and fairness. The Tax Reform Act of 1976 also addresses information use, but significantly from the standpoint of all individuals collectively. The Tax Reform Act speaks to the use of the entire {RS database as well as the use of each individual record] therein. For example, the entire data base is stipulated to be confidential, and the external third parties to which the TRS may disclose any individual record are carefully specified. In this sense, the issue addressed by portions of the Tax Reform Act is somewhat different from the classical privacy matter. While the Privacy Act does provide for broad uses of a database about people, such uses are at the administrative discretion of the database holder; an appropriate notice-of-intent need only be published in the Federal Register 30 days prior to such new use. In contrast, the Tax Reform Act is explicit in stating for what purposes al! taxpayer information held by the TRS may be used and to whom and for what purposes it may be disclosed. Moreover, no agency has the discretion to make additional disclo- sures. The hearings and Congressional debates that accompanied the passage of the Tax Reform Act, together with the work of the Privacy Protection Study Commis- sion, in eject constituted an ad hoc forum for publicly debating the question: "What are the socially acceptable uses of tax information both within and external to the {RS?" In present governmental processes, there is no standing mechanism other than Congressional debate and hearings by which society collectively can decide to what use certain bodies of information may be put and how such bodies of informa- tion should be allowed to interface with one another for the benefit or well-being of society. It is correspondingly difficult to debate the companion question: "What uses of a particular body of information are distasteful to the country and to society and should be preempted or forbidden by law or other means?" The issue of socially accepted uses of a particular body of information is rarely separated clearly from the classical privacy issues. In view of such blurring of issues, discussion commonly addresses surrogate questions rather than the under- lying issues. For example, Congressional attention often is directed at details of
11 computer-system architecture or at choices of computer equipment, rather than at the fundamental issue of socially acceptable information use. Such a cautious dis- tinction between individual recor~keeping privacy and broad information-use policy is extremely important in limiting the technological options available to the {RS in its future computer-based recor~keeping. As examples of such blurring, the Committee was told of various "constraints" imposed on the {RS by the Office of Management and Budget and by expressions of Congressional concern. In each case, part of the difficulty was a failure to distin- guish carefully among privacy, security, and confidentiality. For example, one letter from a group of senators voiced concern about privacy issues connecter] with the IRS's proposed Tax Administration System of 1976. In fact, the central concern was not privacy. Rather the issue was partly one of computer security safeguards- namely, whether such a nationwide system with a large number of computer terminals could satisfactorily protect tax information. The letter also reflected an unexpressed concern about the exposure arid visibility of so much taxpayer infor- mation on so many terminals in so many places. Looked at in this light, therefore, the uneasiness expressed in the particular communication noted was a surrogate issue for both pivotal technical issues of computer security mingler! with a general conviction that tax information should not be quite so readily accessible to so many people. Because past expressions of concern from various sources have focused on surrogate issues, it is not surprising that the Internal Revenue Service finds itself unable to use certain technical computer-system options that might otherwise be attractive and sensible. For example, in the context of upgrading the microfilm system that stores past years of tax return information, a signed statement of agreement stipulates that there must be two physical breaks in any electrical connection between the National Computer Center at Martinsburg and the Service Centers. One solution would be a physical transfer of (say) a magnetic tape from one side to the other of each break.9 The impression left by such a stipulation is that it will somehow impede access to the master database at the National Comput- er Center in an unauthorized fashion. In truth, it at most delays improper access to the centralized database and erects no significant additional barriers. As a second example, the expressions of Congressional concern about the Tax Administration System implied that an electrical connection between Service Cen- ters and a centralized database would somehow increase the risk of unauthorized disclosure of tax information. Eliminating such electrical connections, however, does not block the exchange of data; it only increases the difficulty. It would still be possible for the {RS to exchange data with other agencies or for an individual acting in an unauthorized fashion to divulge information improperly. To be sure, it eliminates the risk of eavesdropping on the electrical communications, but all other risks continue unabated, especialIv these that tori. from the notir~nc nfn=~nlP in the system. -.~ ~ ~ ~ ^ ~ ~ ~ ~ ~ v ^ ~ ~ ~ ~7 ~ ^ e ~ ~ ~ ~ ~ 8 Letter dated December 20, 1977, from Senators Muskie, Ribicoff, Bayh, Percy, Abourezk, and Mathias to Honorable James P. T. McIntvr~? Jr Artino nir~rt~r ~fT;r.~ ~f~lVI~ ~ ~ lo. Inch _~ __. ~ ~ ~~ Use ~ ~J~11~ Vet 111111 ally ~uu~. q ~ ~ ~ Memorandum from Assistant Commissioner (Data Services) to Commissioner; June 30, 1978, "Final Memorandum of Understanding (OMB /IRS)." Also: Memorandum from Office of Management and Budget (Dennis O. Greene) to Department of Treasury (William J. Beckham, Jr.), June 9, 1978, including attachment dated June 7, 1978, entitled "Memorandum of Understanding Regarding IRS Long-Range Computer Modernization Plan."
12 A prohibition against electrical connections has the erect of shifting emphasis away from computer software and hardware security controls onto the administra- tive and procedural controls that govern the physical movement of such items as magnetic tapes or discs. Policymaking bodies apparently fee] significantly more comfortable with controls on objects or the behavior of people than with invisible computer software and electrical controls on access to computer data. In elect, a position against electrical connections is a de facto policy judgment that one kind of deterrence against misbehavior is acceptable and another one not. While such a judgment can be vigorously debated and a technical person will find it hard to accept, the Committee nonetheless accepted such agreements as part of a negotiated position and not to be challenged. Therefore, certain technical opportunities for improving the TRS computer-based record systems will neither be considered nor recommended in this report. THE BALANCE POINT A mission-oriented entity like the Internal Revenue Service will understand- ably strive to do its job with the maximum of thoroughness, efficiency, and effective- ness. On the other hand, from a policy point of view in other parts of government and in society as represented in Congress, it is not at all clear how much pressure the {RS ought to be allowed to put on the taxpayer. There is an unidentified and unexpressed tension between such a mission agency, struggling to do its job even better, and the environment that constrains it. The {RS fully understands the value of the tightest and most comprehensive set of computer monitoring processes imaginable, because thereby it could discharge its mission responsibility most thoroughly. Concerns about the Tax Administration System and about networking all centers were voiced in the name of privacy, but in fact they must reflect policy- makers' uncertainties about the use of computer technology to tighten the hand of government. For the {RS, it would mean ever increasing power to monitor taxpayer behavior. Computer technology plays a pivotal role in the tension just identified, because it makes possible the comprehensive recordkeeping for ever tighter tax administra- tion. Perhaps it is proper that the IRS must struggle clisproportionately hard to apprehend tax evaders in order to avoid tightening things so completely for all honest taxpayers that the system would resemble the Big Brotherism of Orwell's 1984. Constraints such as those suggested previously will be seen as foolish by tech- nologists, as inappropriate by system designers, and as impediments by an agency striving for more comprehensive service delivery. On the other hand, such posi- tions do have a positive social value and represent society's desire to preserve personal privacy and autonomy. They cannot be dismissed simply by the assertion that technology can readily make them unnecessary. Restrictions on system archi- tecture must be seen as reflecting the present attitude of the country and its leadership about what is acceptable with respect to additional computer-base(1 recordkeeping that takes from the individual more and more flexibility of behavior. On the other han(l, such constraints do have a bearing on privacy because they tend to deter unauthorized behavior. For the most part though, the erect is not of major significance because they do not markedly change the difficulty of misbehav-
13 ing, but only modify the speed with which it can be done. Whatever one believes about the collective eject of constraints as they exist? recor~keeping privacy is in no way involved. The issue rather is possible breaches of confidentiality, in turn related to violations of security safeguards. Thus, a dialogue very difficult to conduct in the first place, is further confused by imprecise use of terms; this leads to erroneous connections among issues, and thus to further confusion, and so on. While a feature of democratic government, the tension between a mission agency's drive to improve performance and the environment that seeks to balance and moderate such drive is not usually identified in connection with recor~keeping systems. Nor is it a clearly stated issue in the front line of debate; it is generally addressed in terms of various surrogate questions. The nation is struggling through an era in which social policy is confronted with the ever increasing use of computers; the fundamental issues are not clearly drawn, but commonly the cause of privacy is invoked as the country attempts to resolve the matter and achieve an appropriate balance point. In a sense, the issue raised here is analogous to the balance of power between the military forces of the United States and their civilian controla matter which the country understands well because it has for two hundred years thought about it, debated it, and cast it into the form of government. By contrast, the social implications of computerized recor~keeping have gradually been recognized only over the last 30 years, and it is little wonder that all of the interface issues are not understood. The matter is all the more difficult because recor~keeping practices have a way of causing un- foreseen and often subtle side ejects that were unintended within the original purpose of a recor~keeping system. The issue is further complicated by the fluid nature of societal views toward recor~keeping. When a social cause is perceived as desirable (for example, levying taxes on the so-called cash-only underground economy), then more comprehensive and stringent recor~keeping processes are seen as acceptable. Regrettably, how- ever, it is a one-way street; once more comprehensive recor~keeping practices and controls are in place, it is extremely difficult to remove them. Such a consideration reinforces the natural conservatism of a policymaker faced with uncertainty about the consequences of some computer-related action. The country has yet to conceive and put in place an explicit mechanism to balance the aims of a mission agency with extensive computer resources against society's desire for flexibility in individual behavior and freedom from oppressive recor~keeping practices. At present, due process of law is part of such a mechanism; Congressional debate and oversight is another; public reaction is a third. Perhaps these and other mechanisms in sum are sufficient to avoid government recordkeep- ing processes that invisibly dominate an individual's life. It remains to be seen. Another National Research Council reports has suggested to the National Weather Service that a particular computer system upgrade it is contemplating "must not be seen as a stand-alone replacement of computing machinery, but rather as one of the steps toward a future whose characteristics Can be] generally outlined . . . fend] the Committee concludes that consideration of system-level and architec- '° 'Technological and Scientific Opportunities for Improved Weather and Hydrological Services in the Coming Decade," National Research Council, Washington, D. C.: National Academy of Sciences, July 1980.
14 tural details of the information infrastructure that will support the National Weather Service in the future must be commenced now." Given the uncertain and dynamic balance point discussed here, a corresponding recommendation to the IRS would be unwise and inappropriate. The Committee concludes that the {RS must proceed slowly with its plan- ning for computer-based systems and pace its expectations to the willing- ness of the country and its leadership to accept increasingly comprehensive tax administration recor~keeping systems. It is not at all clear how this willingness is to be detected, much less predicted well enough in the long range. One obvious means is to propose a new system and see how it fares; in one sense, the Tax Administration System proposal in 1976 was just such a probe. On the other hand, the {RS might take an active role in a difficult area of governmental responsibility rather than being a follower. At a minimum, the TRS could certainly spearhead an effort to increase the public's awareness of tax administration and of the privacy and confidentiality issues that presently bewilder or escape the attention of many citizens. We express this conclusion knowing that comprehensive long-range planning is ordinarily necessary and proper. For a federal organization that does not deal with information about people, such a recommendation would have been among the first made by a committee like this one. However, for the Internal Revenue Service, which deals with perhaps the most sensitive body of information in the country, the normal expectations of the system planner and system architect sim- ply must be moderated by yet unresolved social issues. In this regard a recent report by the Office of Technology Assessments has raised an extensive set of issues and detailed questions that can well serve as a sieve through which the {RS might sift future proposals for tax administration computer systems, and that also could focus Congressional debate and public attention. A final note is in order. While it would seem to be in the interest of the TRS to press for more extensive computer resources to process tax returns and keep records, it must be remembered that this country has a voluntary income tax system that depends on the honesty of the taxpayer and is by its nature a very France entity. If the tax system were to be perceived by society as overbearing, there would be a risk of defection from voluntary tax payments, plus a risk that the Congress in response to public outcry would step in and change the system. On the other hand, if the computer support for tax administration is inefficient or overloaded, it can become too easy for a taxpayer to report income incompletely or to underpay taxes. The IRS has reported from time to time on cases in which people have knowingly filed inaccurate returns in the belief that the risk of being caught was small. Thus, a system eng~neer's goal would be to collect the optimal amount of taxes by striking a balance between the extra money that might be collected from a more t~ "A Preliminary Analysis of the IRS Tax Administration System" (March 1977, United States Congress, Office of Technology Assessment, Washington, D. C.: U.S. Government Printing Office). The report examines a proposed 1976 nationwide network with several thousand terminals to give tax administration personnel access to a comprehensive database. While the Tax Administration System is no longer an active proposal, the document is an excellent summary of the issues that surface when computer-based tax administration systems are examined by government procedures, plus a vivid demonstration ofthe difficulty in selling nationwide networks that deal with sensitive information about individuals.
15 comprehensive and tighter tax processing system plus the cost of operating it and the backlash of large underpayment of taxes because of a lax inefficient computer system. Looked at this way, it is indeed in the interest of the {RS and the Depart- ment of the Treasury to consider with care how far it wishes to proceed in tighten- ing the tax administration processes in the United States. COMMITTEE INPUTS In developing its internal policy on matters of privacy, security, and confiden- tiaTity, the {RS has established a comprehensive set of procedures and practices for its employees. For example, detailed handbooks give explicit guidance for respond- ing to requests under the Privacy Act or reacting to security breaches or threats of various kinds. Furthermore, there are management means for overseeing and enforcing procedures that derive from policy; there are, as well, mechanisms for overseeing policy generation and modification. The Committee has reviewed a variety of such documents, handbooks, and other materials that set forth policy and administrative regulations. In addition, it was briefed on the structure, functions, and authority of the Internal Security group and also the Internal Audit group. In addition, the entire Committee visited both the Atlanta Service Center and the National Computer Center at Martinsburg, West Virginia. On each of the site visits the Committee was carefully briefed on various security matters as well as on details of the mission and the job at the site. The Privacy-Security-ConfidentiaJ- ity Panel was particularly attentive to the physical arrangements and procedures for controlling such things as personnel movement and access and those for physi- cal protection of facilities, especially computer equipment and data. PRIVACY As noted earlier, the relevant legislation in this matter is the Privacy Act of 1974. Extensive sections of the administrative manuals specify rules governing precisely how the Service will respond to a request for information from a citizen. Over the operational lifetime of the Privacy Act, the {RS has received approximate- Ty 1,000 requests to see records, mostly from employees of the Service examining their own records. The modest number of external requests is not particularly surprising since individuals themselves furnish the information that finds its way into the tax database. Based on our examination of the relevant portions of administrative rules and manuals, as well as our understanding of the role of the IRS Internal Security and Internal Audit functions, The Committee finds that the IRS is properly fulfilling the obligations im- posed on it by the Privacy Act of 1974. Since privacy in the IRS context is really an information protection and disclosure issue, and since the latter is mandated by law in detail, the question "How are you doing in privacy?" is a surrogate for "How are you doing with system-wide security safeguards?"
16 One section of the Privacy Actl2 requires agencies to take "reasonable precau- tions" to protect the data they hold. This obligation is really a computer security matter and is discussed in the following section. COMPUTER SECURITY As noted earlier in the definition of the term, computer security includes the sum of all the ways and means for protecting physical facilities, computer hard- ware, computer software, communication circuits, personnel, and data against a defined threat. For an agency like the Department of Defense, a major component of the threat is espionage or sabotage by opponent countries. For the {RS, the threat is not so much activities of a foreign power as violations of the confidentiality requirements of the Tax Reform Act of 1976. The threat against {RS computer systems must emphasize such things as activities of disgruntIed~employees, unau- thorized acts of employees, and physical attacks by dissident groups. In systems like those of the TRS, in which manipulating the database or altering the software can have large financial consequences, fraud and embezzlement must be considered more likely occurrences, and therefore included in the threat to be guarded against. Computer system security requires diverse safeguards because so many dimen- sions of protection are required. Among them will be chain link fences, guard posts, personnel admission procedures, fire protection for computers, operational proce- dures to safeguard backup computer files, controls on access to the computer sys- tem and also controls embedded in it, administrative monitoring procedures to ensure that safeguards are intact and operational, vaults for magnetic tape storage, administrative procedures to limit access to computer terminals, and operational procedures to prevent computer programmers from accessing real data. Compre- hensive security requires physical, personnel, communication, computer hardware and computer software safeguards, all embedded in an appropriate administrative structure with proper procedures. With regard to the physical protection plus administrative and personnel aspects, the Committee finds that the security situation at the Atlanta and Martinsburg sites, which it visited, is very good. With respect to physical protection and procedures for admitting visitors and controlling personnel movement, the situation at Atlanta approximated that found in military installations and is better than those at many industrial organizations. We observed that the employees are very professional, proud of their work, well trained, have a good understanding of the importance of security as well as privacy, and understand the mission of the Internal Revenue Service. The Service is to be commended for its program to maintain high awareness of security issues in em- ployees, and in particular for the special actions necessary to reindoctrinate season- al part-time employees. On the other hand, as the IRS moves into a new era of vastly improved record- keeping systems, it must ensure that its posture with regard to security controls is the best possible and be able to demonstrate the fact to review and oversight bodies. t2 pa.. 93-579; Section 522a(e)(10).
17 The Committee recommends that the ]:RS conduct a thorough audit of all security features that safeguard its computer systems, its data and files, its personnel, and its facilities. Such an audit must examine not only the usual physical arrangements and procedures, administrative controls, and management oversight mechanisms, but also in the coming era, the safeguards embodied in computer hardware and soft- ware. While the IRS can undoubtedly conduct such a review internally, it would be advantageous to use external specialists who have broad experience with a variety of computer installations and situations. Computer software safeguards require special comment. They are highly tech- nical, and of necessity the Committee had to accept verbal descriptions of their details and functions. Subject to the limitations of the group in examining such technical matters in depth, we believe that proper procedures do exist to control access to sensitive databases, but we cannot submit technical evidence in support of this conviction. We discovered no evidence that would lead us to conclude that we were misted or presented with an incomplete story. With respect to software security, the Service Centers and the National Com- puter Center are quite different in nature. The Service Centers provide terminal access to databases for tax administration purposes and to serve the public. No computer programming takes place in such centers but life cycle support of oper- ational software does occur. Thus, the number of employees who could, in principle, modify the system or access sensitive data for unauthorized purposes is negligible. In contrast, the equipment at the National Computer Center supports a very large Toad of computer program development. Access to real data is sometimes essential and tight procedural mechanisms have been developed to control such access. To the extent that we were able to examine the matter again one with deep technical overtoneswe believe that the security safeguards governing program development on the Martinsburg computers and the access of programmers to real data are generally satisfactory and consistent with the state-of-the-art. It is important to observe, however, that the ability to implement more compre- hensive software safeguards at a Service Center or at Martinsburg is seriously constrained by the installed computer hardware and its corresponding software. When the equipment now at the Service Centers was installed, the commercial industry had been largely ignoring software security. Thus, the IRS had to desig and implement its own changes in the operating system software for its installed Service Center machines, a most unusual step at the time. Commercial vendors have only in recent years begun to provide computer hardware with appropriate security safeguards, and they are still struggling to provide complementary safe- guards in computer operating system (or executive system) software. The present vendor situation with regard to security-controlling software is especially relevant to the equipment replacement plan now uncler way. The Service may not be able to get satisfactory software security controls from commercial sources; it may find, depending on the outcome of the procurement process, that it will again have to make changes in operating system software. It is generally agreed that retrofitting operating system software with appropriate safeguards is technically very difficult. Many experts regard it as impossible to retrofit compre- hensive safeguards against attacks by a skilled and determined penetrator. Such a view is, of course, much more significant to an agency like the Department of
18 Defense, which must protect its systems against cleverly mounted attacks by tech- nically adept and well-financed foreign opponents. The Internal Revenue Service probably does not have to concern itself so much with deliberate attacks by a determined penetrator. The problem of software security safeguards is thus some- what more tractable, though not one the Service can minimize or be complacent about. Modifying contemporary operating system software is an extremely complex programming task that must rank high in technical risk. It must be given careful attention not only by the Office of Data Services but also in {RS management review and oversight proceedings that monitor the overall progress of the replace- ment effort. Although considerable work has been done by others on computer-system secu- rity, its results have been applied mainly to systems used by the military; presently available commercial computing systems are not immune to manipulation by ex- pert systems-level programmers who have authorized access to the overall system Since the Department of Defense has experience in both attempting to penetrate computer operating systems and developing methods for increas- ing the security of computer operating systems, the Committee recom- mends that the TRS seek its assistance in the computer security area. Given the present state-of-the-art in computer security and the centralization of all government research on the subject in the Department of Defense (DoD), it is essential that such experience be utilized. While its assistance cannot guarantee an invulnerable system, nonetheless DoD advice can greatly lessen the risk of serious and easily exploited vulnerabilities. The above comments on the manipulation of computer operating systems apply whether the computer is operated in an on-line interactive mode or in a batch mode. It follows that the proposed arrangement for providing physical breaks in the communication links between a computer and its remote access devices by no means makes it impossible for qualified experts to manipulate the computer. The breaks simply introduce a delay and accordingly make it only somewhat more awkward and possibly more difficult. Even so, time delays and a corresponding increase in difficulty are, of course, worthwhile deterrents and may well be enough to inhibit such manipulation particularly if a comprehensive audit trail system is in place and regularly used. Although the above discussion may not appear encouraging, it must be recog- nized that research and development in the computer security field is still continu- ing and that the matter is not wholly resolved. We recommend that the TRS carefully monitor computer security research efforts and exploit any results that can strengthen the in-place safeguards. SECURITY DURING CONVERSION In part, the essence of good computer security is a stable physical environment in which a stable work force carries out its work under stable procedures. Such circumstances significantly lessen the opportunities for security breaches. During the equipment replacement program, instability will of necessity occur because physical rearrangements will be taking place, operating system software and appli-
19 cation programs will be under revision, procedures may be changed, personnel will be retrained, and so on. Such changes may bring new opportunities for breaches of security. The Committee therefore recommends that the IRS create, as part of its overall planning for transition from the existing computer environment to its new one, a specific plan for heightening security awareness and oversee- ing the special security aspects of transition. Much of the responsibility for such planning will rest with the Office of Data Services, but the Internal Audit Division should also be involved, not only to be alert for new security weakness but also to probe for loopholes. There may in fact be opportunities for the Internal Audit Division to uncover existing security weak- nesses that have remained concealed. As an example of what might occur, consider a 1979 audit report that identifies a particular computer problem as "deficient programming." Such a characteriza- tion is, of course, somewhat imprecise, but, on the other hand, clever programmers who intend to manipulate the computer system in some unauthorized way can easily make misbehavior appear to be poorly done work. Such subtle ejects are extremely hard to judge; even detecting them will require heightened vigilance. The enormous effort of converting approximately 3.5 million lines of computer programs now in assembly language to corresponding programs in an appropriate higher order language will markedly increase the amount of program development activity that the National Computer Center supports. The Committee recommends that technical procedures and administrative means for controlling access to the National Computer Center computers, not only for program development runs but also for access to real data, be thoroughly reviewed for completeness, for possible loopholes, and other shortcomings. The recommendation simply reflects the observation that what may have been satisfactory at past levels of program development may not be equally satisfactory at the much higher levels that will be reached during the equipment replacement program. Program development for the Service Center Replacement System will be done in Washington, using a computer located physically at Martinsburg, West Virginia. Appropriate technical procedures and administrative controls for giving program- mers access to the computer and to live data will have to be developed. PERSONNEL THREAT Experts agree that the vulnerability of computer-based systems to attacks by system personnel is serious. The state-of-the-art for detecting seemingly autho- rized but actually unauthorized behavior has not yet fully developed. The security controls and audit traits throughout new operating system software as well as the revised application software need to be as comprehensive as possible. The Committee recommends that relevant expertise from inside as well as outside the IRS be used to ensure that the software security controls and audit traits will be consistent with the best state-of-the-art.
20 The task is a system-level design one that will demand the best technical atten- tion. In view of an unavoidable internal threat against computer systems and espe- cially in view of growing concern about fraud and embezzlement, The Committee recommends that the {RS review both at the National Computer Center and at the Service Centers the number of personnel positions identified as "critical sensitive." It is our understanding that only a single person at the National Computer Center is now so classified; this seems inappropriate given the Center's pivotal role. A "critical sensitive" position requires a so-called full-field investigation of the in- cumbent. Our recommendation is intended to enhance the trustworthiness of em- ployees with pivotal management and operational responsibilities. THE ROLE OF INTERNAL AUDIT Auditing computer-based systems is a profession that is less than 10 years old. The development of"EDP Audit," as it is called, has resulted from the need to audit through rather than around computer systems.~3 Professionally, EDP auditors are either traditional auditors who have been trained in computing skills or computer professionals who have been trained in audit procedures. Because the art is so new, because it combines two disparate disciplines that have not previously worked together, and because it has had to develop its own new techniques and tools, the profession's methods are still fairly primitive compared with those of traditional account auditing. There is still much to learn; many programming tools and meth- odolog~es have yet to be developed. For example, the four generally accepted EDP audit functions are to identify controls, to evaluate controls, to determine the functionality of controls, and to verify data. Of these, the last is the most completely developed; the others still require the conception and development of many tools. The Internal Audit Division of the TRS has an appropriate cross-section of skills classical auditors, computer specialists, and certified public accountants. The stab appears to be aware of the latest EDP audit techniques (e.g., the use of generalized audit software) and has high confidence in its professionalism and knowledge of the field. Staff members have attended many conferences and semi- nars and are conversant with the current literature.~4 On the basis of documents and discussions with appropriate people, the Com- mittee believes the Internal Audit staff to be adequate, but again stresses that the field is by no means fully enough developed to provide assurances as strong as those given by the traditional audit process in noncomputer situations. For example, there is some general confusion in the minds of internal auditors about their actual responsibilities. Do they design the controls, do they comment on the electiveness of existing controls, do they enforce compliance with controls, t3 "EDP" is electronic data processing. Other acronyms in use are ADP (Automatic Data Processing) and DP (Data Processing). t4 For example, "Computer Control and Audit" (1978); and "Systems Auditability and Control" (1977). Both published by Institute of Internal Auditors, 249 Maitland Ave., P.O. Box 1119, Altamonte Springs, Florida 32701.
21 or do they limit their duties to commenting on the extent of compliance with existing controls? The Committee also stresses that threats against a computer-based system and opportunities to use it in an unauthorized way are not necessarily analogous to those that exist in a manual system. There truly are new means for committing crime when the recor~keeping system is computer-based rather than manual, and EDP auditors must be alert to them. To return to a point made previously, the source selection decision for the equipment replacement program must include an assessment of the security safe- guards in vendor-proposed computer operating systems software. As noted above, it is an issue of great technical difficulty, and the {RS must bring to bear on the matter the best resources available both internally and externally. The Committee was told of a recently completed procurement in which the TRS Internal Audit Division's subsequent examination of security safeguards in the operating system revealed a substantial deficiency. The equipment replacement program for the National Computer Center and the Service Centers is a much larger undertaking and a correspondingly awkward situation must not be allowed to develop. In the source selection process, the {RS must examine with extreme care not only the adequacy of each vendor's computer operating system software security safe- guards but also the ease with which new ones can be added. The Committee suggests that the Internal Audit Division now contains specialized skills that can be exploited during source selection consider- ations and also exploited for conceptualizing software security controls and audit trails. The Internal Audit Division will be involved with operational audits of the new equipment and systems, and it seems wise to involve its personnel at the beginning to minimize the risk of future difficulties. The Committee notes that the United States Air Force maintains a group at Hanscom Field in Lexington, Massachusetts, that is widely used throughout the federal government to help in scoring and evaluating vendor proposals. Advice from such a specialized group shouicI also be obtained. Since the Internal Audit Division is so crucial to the assurances that the TRS can give its critics and its Congressional overseers about computer security, the Committee would fee] more comfortable if there had been an external review of the Division's capabilities. It is common industrial practice for external auditors to review the capabilities of internal auditors, not to repeat the internal audits but rather to assure management that the scope and performance of the internal function is adequate and appropriate. The Committee recommends that the Commissioner of the Internal Reve- nue Service invite the General Accounting Office to provide an independent assessment of the capability of the Internal Audit Division. We stress, however, that the present capability of the Division is not in question. Such an approach would, however, assure the Service that it has the best possible EDP audit function.
22 TECHNOLOGY AND THE FUTURE Contemporary telecommunications and computer technology can dramatically enhance the computer-based capability of the Internal Revenue Service. Major and difficult system engineering problems would have to be solved, but no {RS invest- ment in new technology would be required to achieve any desired level of nation- wide network-based computer support. A major system-level task would be to provide comprehensive security safeguards at the network level, a task more diffi- cult than safeguarding an individual computer system. On the other hand, exploiting technology in such a way inevitably brings risks. Tax information, for example, would likely be more visible and exposed to misuse simply because a larger number of terminals would make it easier. Furthermore, large amounts of tax information might be transmitted over communication cir- cuits where it could be intercepted another new risk. Various communication security techniques might become necessary. In the end, it is very difficult to balance the benefits of an improved level of recor~keeping against new security and privacy risks and against new social and political implications. Policy-making bodies at the federal level are not in a good position to struggle with such an intricate issue or even to debate it in a learned way. Given all the uncertainties about the future, especially with regard to social attitudes about privacy and information use, policymakers will inevitably err on the conservative side and opt for more traditional approaches to computer-based systems. It is unlikely, therefore, that giant leaps in technical sophistication will readily occur in computer-based nationwide networks. Such an observation is particularly perti- nent to the TRS, which deals with information viewed by citizen and government official alike as extraordinarily sensitive and demanding of the utmost in protection and controls over disclosure. In this sense, therefore, the now defunct Tax Adminis- tration System of 1976 was probably ahead of its time in terms of what the country, as reflected by Congress and various elements of the executive branch, could accept comfortably.
